PT-2018-9309 · Electron · Electron
Brendan Scarvell · Published 2018-03-23 · Updated 2019-10-03 · CVE-2018-1000136
CVSS v3.1: 8.1 High
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Electron versions 1.7 up to 1.7.12
Electron versions 1.8 up to 1.8.3
Electron versions 2.0.0 up to 2.0.0-beta.3
Description:
The issue is related to improper handling of values in webviews, which can result in remote code execution. It can be exploited via an app that allows execution of third-party code, disallows Node.js integration, and has not specified whether webview is enabled or disabled. The application must also meet specific conditions, including running on an affected Electron version, allowing execution of arbitrary remote code, disabling Node.js integration, and not explicitly declaring webviewTag as false.
Recommendations:
For Electron versions 1.7 up to 1.7.12, update to version 1.7.13 or later.
For Electron versions 1.8 up to 1.8.3, update to version 1.8.4 or later.
For Electron versions 2.0.0 up to 2.0.0-beta.3, update to version 2.0.0-beta.5 or later.
If an update is not possible, mitigate the vulnerability by using the provided code to disable node integration and webviewTag in webPreferences, and prevent new-window events from overriding event.newGuest without using the supplied options tag. Additionally, consider preventing the attachment of webviews if they are not used.
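One way to apply the mitigation described above when an update is not possible, as an added example (not code from this advisory or from the Electron project). The function names `lockDownWebPreferences`, `hardenedWindowOptions` and `installMitigation` and the `usesWebviews` flag are hypothetical; the event names are those of the affected Electron release lines.

```javascript
// Added example. Function names are illustrative, not Electron APIs.
// Assumes the Electron 1.7/1.8/2.0 events 'web-contents-created' (app) and
// 'new-window' / 'will-attach-webview' (webContents).

// Force safe values no matter what the page or an earlier handler supplied.
function lockDownWebPreferences(webPreferences) {
  const prefs = webPreferences || {};
  prefs.nodeIntegration = false;
  prefs.webviewTag = false; // explicit false, never left unspecified
  return prefs;
}

// Options for windows the app creates itself: pass to new BrowserWindow(...).
function hardenedWindowOptions(extra = {}) {
  return Object.assign({}, extra, {
    webPreferences: lockDownWebPreferences(Object.assign({}, extra.webPreferences)),
  });
}

// Register the guards on every webContents the app creates.
function installMitigation(app, { usesWebviews = false } = {}) {
  app.on('web-contents-created', (event, contents) => {
    contents.on('new-window', (e, url, frameName, disposition, options) => {
      // Any handler that sets e.newGuest must build the window from this
      // `options` object so the locked-down preferences carry over.
      options.webPreferences = lockDownWebPreferences(options.webPreferences);
    });
    contents.on('will-attach-webview', (e, webPreferences) => {
      if (!usesWebviews) {
        e.preventDefault(); // app has no webviews: refuse every attachment
        return;
      }
      lockDownWebPreferences(webPreferences);
    });
  });
}

// In the main process: installMitigation(require('electron').app);
```

Call `installMitigation` before the first window is created so that no webContents exists without the guards.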
Exploit
Fix
RCE
Affected Products
Electron